13

I have found a major security hole in one of my company's public facing site. This is our first public facing site that was converted from an intranet site. I brought this issue up to my boss and they essentially shrugged it off, saying that it would take a good deal of work to re-architecture the site to make it secure.

This has really bothered me and I have thought about exploiting the hole to show the effects that this could happen if an actual hacker got to it. This is probably not the best idea as the effects could cost me my job if not something worse.

What are some things I can do to show the magnitude of the situation to management?

Improve this question
1
  • 8
    Make sure you have everything in writing. Including your mention of the security hole and their dismissal of it. Commented May 9, 2012 at 3:48

2 Answers 2

Reset to default
13

A manager's responsibility is to manage risk.

When a cross-scripting security hole was discovered in Gmail, this presented a very critical risk that the team quickly worked to resolve. Because there are millions of Gmail users, if I wrote a Web application that exploited this flaw, there would be a good chance that users of my Web application may be using Gmail and may have it open in another tab. Thus, as a phisher, it may be worth it to me to build such an application to gain access to user data.

The question your manager may be asking himself or herself is this: How risky is this security hole? What is the likelihood that there is a Web application out there that is targeting this particular security hole on this particular site? What is the risk that employees who are visiting our Website are also using this third-party website?

In my experience, if your site isn't getting a ton of traffic, then there isn't a ton of risk.

Your boss may be thinking that the opportunity cost of not fixing this particular security hole which may or may not be a problem, is that he or she instead can focus resources on activities that will help grow the business and generate revenue.

With that said, there was an issue very similar to this where Github was hacked, and there is a question on Project Management SE that covers this topic from a project management perspective. The user who hacked Github was in a similar situation as you, and his Github privileges were suspended for a time period.

My question to you is this: What happens to your business if the site does go down? What is the likelihood that you'll even see this security hole exploited?

If you do choose to pursue this, you'll need to objectively obtain evidence that this is a very real, imminent threat to the viability of the business.

Here are some suggestions for obtaining evidence that this is a real problem:

  • Perform Google searches looking for news articles, blogs or other experiences of companies that have experienced major issues as a result of a similar, related security hole. Demonstrate that this is indeed a risk that is worth addressing in lieu of other business opportunities.

  • Discuss with other technical personnel on the team and get their insight. If the issue is really severe, you should be able to find others who can back you up as well. If not, then either your concerns are not warranted or you have major issues in security in your company culture.

  • Discuss other options with your IT department for patching the hole that involve quicker-fix solutions that -- although not ideal -- may mitigate the risk and give you some peace of mind without breaking the corporate piggy bank. Sometimes a small amount of work can help eliminate some of the risk, if not all.

If the above points don't work, then my consider letting this go, and know that these issues are just going to be a normal part of business risk management.

Improve this answer
6
  • 2
    I feel that this answer doesn't cover enough of the topic. The nature of the security hole wasn't mentioned in the OP; for all we know it could allow attackers to retrieve credit card information from their database, which can be disastrous, not to mention that it could have legal ramifications if ignored. Commented May 9, 2012 at 3:55
  • +1: in the end of the day a) it's about costs vs. benefits and people with decision rights will make the decisions and b) nature of the security hole wasn't mentioned, but I bet that management knows way more about it than any of us on this board. So yeah, OP brought the issue up and now we are back to "manager's responsibility is to manage risk" Commented May 9, 2012 at 4:03
  • @Daenyth - You're absolutely right. Thank you! I added some suggestions as bullet-points to address the issue, should the op decide to pursue. After all, it really could be a severe, crippling issue that may not only affect the company but millions of users' security. Commented May 9, 2012 at 4:06
  • @jmort253: Update is much better - +1 from me! Commented May 9, 2012 at 4:09
  • 1
    Jim, I don't know how experienced you are or how many other developer jobs you've had, but I think you're going to run into this when you go other places. The purpose of any business is to make a profit, and I think sometimes developers who are divorced from the operational and financial side of the business forget that the purpose of a business is to make a profit. Also, consider this: Your area is not the only area where risks exist. Perhaps your manager sees an even bigger risk in not focusing on building the sales team, or releasing a time-sensitive product or marketing plan. Commented May 9, 2012 at 14:14
10

If you have equity, push to schedule a weekly or monthly meeting to review security concerns and then this can just be an item on that agenda. Moving the focus from the particular issue to the general area is often an effective technique.

If you don't have equity, move on.
You've raised the issue to management and they've passed. You can try again if it's important to you. And again if it's really important. If it's really really really important, get another job and tell potential employers why. The ones that value ethics the most will probably appreciate it.

Also bear in mind that if you've raised the issue and got a no you are now faced with changing people's mind which is very hard. I would go down the path of getting them to agree with you and give you yes's. e.g. "we both want the company to success". Yes. "I know we both care about security". Yes. "We know we've got a very limited budget to address such items". Yes. Get a few of these then start steering towards some schedule for making the security fixes.

Another 'softer' approach is to agree that you don't have the time/resources to do this now. But can you push for agreement on a date that it will be addressed. It can be in a week, or a month, or 6 months. Usually time flies and then you're there.

Improve this answer
1
  • I would make sure that I put my warning in writing and kept a copy, but if you have let the correct people know then you have done the right thing. What they choose to do with it, well that is their problem. Commented May 9, 2012 at 6:39

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.